Backdoor.Mtron is a backdoor Trojan that records financial activity and sends it to a remote attacker using IRC.
It also gives the attacker the ability to download and run files on the infected computer.
Copies itself as %System%\MSWinSrv.exe
Attempts to delete all .txt files in the %Cookies% folder.
Records activity in windows that are associated with financial institutions.
It searches for open windows that have any of the following strings in the title bar:
Netbenefits; Fidelity; e-gold; Citibank; Citi
Logs keystrokes in these windows, and sends the information to the attacker using IRC.
No physical log of this information is kept on the local system, meaning that no file is created which stores this data.
To remove the startup entry, navigate to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value: "MSWinSrv"="%system%\MSWinSrv.exe"
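
The Run value and the file copy named above can be checked for on a live host. The PowerShell script below is an added example, not part of the original write-up: it reports the MSWinSrv Run value and any MSWinSrv.exe copy with its SHA-256, and deletes the Run value only when -Remove is passed. Checking the WOW6432Node key and the SysWOW64 folder is an assumption about 32-bit redirection on 64-bit Windows; the page itself names only the HKLM Run key and %System%.

```powershell
# Added example: triage for the Backdoor.Mtron artifacts named on this page.
# Read-only unless -Remove is given. Run from an elevated 64-bit prompt.
param([switch]$Remove)

$valueName = 'MSWinSrv'       # Run value name from the page
$fileName  = 'MSWinSrv.exe'   # file name from the page

# Assumption (not stated on the page): a 32-bit sample on 64-bit Windows
# is redirected to WOW6432Node and SysWOW64, so both views are checked.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$sysDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $prop = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    if ($prop) {
        # Record the command line the value points at before touching it.
        $findings += [pscustomobject]@{ Type = 'RunValue'; Location = $key; Detail = $prop.$valueName }
        if ($Remove) { Remove-ItemProperty -Path $key -Name $valueName }
    }
}

foreach ($dir in $sysDirs) {
    $path = Join-Path $dir $fileName
    if (Test-Path -LiteralPath $path) {
        # Hash the file so it can be compared or submitted; it is not deleted here.
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'File'; Location = $path; Detail = "SHA256 $hash" }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { Write-Output 'No Backdoor.Mtron Run value or MSWinSrv.exe copy found.' }
```

Because the page states that captured keystrokes are sent over IRC and never written to disk, a clean result here says nothing about what was already captured.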